Contents

About

The LeFun C1 wireless surveillance camera is a network (Wifi/Ethernet) camera w/ IR LEDs provided by LeFun and available on Amazon.com.

Disassembly

The base of the camera is attached with four small phillips screws hidden under silicone rubber feet. Remove all four, the base and board should be open to you.

UART

A Login Console is presented on UART (3.3v) at 38400 baud. The pinout for UART can be found below.

Exploitation

U-Boot is available on boot and can probably be init hijacked, thankfully there is a better option that does not require access to the internals.

The firmware on this model was not available for download elsewhere and I didn't feel like waiting on the firmware to download over the uart at 38.4k baud so we will resort to the hot air and minipro TL866CS. SPI flash model mxic25l12835f was removed and dumped, the issue I had was that from 0x0 to 0xC00000 every 4 bytes were swapped.

It looks like they are generating a new root password after rebooting. Everything is still running as root and the password is in a file at /tmp/pass.debug, we should be able to get in over the serial line but that’s not very sexy.
A look into /project/apps/app/ipc/data/sh/dev_telnet.sh gives us another option.